AI Documentation Isn't Enough Anymore. Regulators and Buyers Want Technical Evidence.

Written By Chris Cook

Should your investment be directed toward AI documentation or technical evidence for the best defensibility?

Auditors and regulators are shifting from "show me your policy" to "show me your evidence" now that AI implementations are maturing and being deployed in production; the governance work most enterprises have done so far doesn’t answer the second demand.

The Situation

By 2026, you have an AI governance policy. You may also have an AI risk register, an acceptable use standard, and even a model inventory. However, a new standard, AIUC-1, has been deployed by a broad-based consortium that includes AI industry leaders like JP Morgan, Salesforce, and Databricks, and is asking a harder question now that AI is maturing: can you demonstrate - with technical evidence - that your AI systems behave as expected under adversarial conditions? UiPath recently became the first enterprise automation company to earn the AIUC-1 certification, passing over 2,000 adversarial test scenarios covering AI risks such as prompt injection, data exfiltration attempts, and hallucination triggers. The dilemma you’re facing now is whether you'll be measured against the standard you prepared for, or against the one that's replacing it.

The Exposure

AI governance is following the same maturity curve cybersecurity went through between 2010-2015, when SOC 2 went from “nice-to-have” to a business requirement in order to win enterprise deals. Companies that earned the SOC 2 designation early closed contracts 30-40% faster than competitors who were still answering custom security questionnaires. That same dynamic is happening with AI: enterprise buyers are asking vendors for proof their AI systems behave as claimed, backed by technical results, not just policy documentation. The leading companies are already producing technical evidence today, and enabling contractual expectations and norms that competitors will struggle to catch up with. You need to be in the former group.

The Judgment Call

You could argue that AIUC-1 is too new, that the certified vendor list is still short, and most regulators haven't formally adopted it yet. Waiting until the standard becomes mature would let you avoid implementing against a moving target, and seems like a reasonable position. But it misses a fundamental business reality: standards actually become required when enterprise buyers start asking for them in procurement, not when regulators start issuing new guidance. That shift is already happening. By acting now on the emerging standard, you can shape your governance program around it and manage the compliance timeline on your schedule; late movers will need to conform to the standard as-is and won’t have flexibility.

  • Risk: Internal pushback from overworked teams who view this as duplicative of existing ISO 42001 or NIST AI RMF initiatives.

  • Benefit: You shorten enterprise sales cycles and enable agentic AI deployments that your risk function can now confidently support.

This Week’s Action

  • What to do: Identify your three highest-risk AI use cases based on customer-facing exposure, sensitive data access, or autonomous decision authority, and request current technical evidence of adversarial testing, control design, and monitoring for each.

  • Who to involve: Your CISO or AI/ML engineering lead, with review by Internal Audit of evidence sufficiency.

  • What outcome to achieve: A clear inventory of which AI systems have complete testable evidence today and which have only documentation; this becomes the basis for your AIUC-1 readiness assessment.

  • Time required: <60 minutes to initiate, 5–7 business days for the team to return findings.

Artifact

Check that your team can demonstrate these three items by the end of the week:

  1. AI Use Case Register: A current list of production AI systems ranked by risk exposure, data sensitivity, decision authority, and customer-facing status.

  2. Adversarial Test Log: Evidence of structured testing covering prompt injection, data exfiltration, hallucination, and boundary violations within the last 90 days.

  3. Control Evidence File: Documentation that technical safeguards (input filtering, output monitoring, access controls) are operating as designed, with logs to prove it.

If they can’t provide all three, then you're operating on documentation alone and your next step is a remediation roadmap with prioritized gaps, assigning owners and timelines, mapped to AIUC-1 controls.


When the stakes exceed your internal capacity:

  • AI Exposure Diagnostic: A 2-hour strategic evaluation for risk, compliance, and legal leaders to identify your highest-priority governance gaps and deliver a 90-day remediation roadmap.

  • 12-Week Governance Sprint: Translate regulatory requirements into audit-ready policies, control frameworks, and accountability structures.

  • Ongoing Advisory Retainer: Embedded judgment for policy updates, vendor assessments, and board prep as regulations and technology evolve.

Reply with "Diagnostic" or “Sprint” to schedule a conversation for next month.

Chris Cook writes Judgment Call weekly for compliance and risk officers navigating AI governance.

Former IBM Vice President and Deputy Chief Auditor. Published in the AI Journal, speaker at Yale.

Chris Cook

Managing Partner & Founder

Blackbox Zero

Forwarded this by a colleague?Subscribe to Judgment Call

Chris Cook
Next

Who Can Pull the Plug on a Harmful AI System Without a Committee Vote?